package com.cmw.core.security.xss;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * 跨站点攻击（XSS）请求处理类
 * 
 * @author	chengmingwei
 * @date	2015年4月7日 下午2:56:42
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
	 HttpServletRequest orgRequest = null;  
	 static HTMLFilter xssFilter = HTMLFilter.getInstance();
	 
	 public XssHttpServletRequestWrapper(HttpServletRequest request) {  
		 super(request);  
		 orgRequest = request;  
	 }  
	  
	 /** 
	 * 覆盖getParameter方法，将参数名和参数值都做xss过滤。 
	 * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取 
	 * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 
	 */  
	 @Override  
	 public String getParameter(String name) {  
		 String value = super.getParameter(xssEncode(name));  
		 if (value != null) {  
		 value = xssEncode(value);  
		 }  
		 return value;  
	 }  
	  
	 /** 
	 * 覆盖getHeader方法，将参数名和参数值都做xss过滤。 
	 * 如果需要获得原始的值，则通过super.getHeaders(name)来获取 
	 * getHeaderNames 也可能需要覆盖 
	 */  
	 @Override  
	 public String getHeader(String name) {  
		 String value = super.getHeader(xssEncode(name));  
		 if (value != null) {  
		 value = xssEncode(value);  
		 }  
		 return value;  
	 }  
	  
	 /** 
	 * 将容易引起xss漏洞的半角字符直接替换成全角字符 
	 *  
	 * @param s 
	 * @return 
	 */  
	 public static String xssEncode(String s) {  
		 if (s == null || s.isEmpty()) {  
			 return s;  
		 }  
		 s = xssFilter.filter(s);
		 return s;
	 }  
	  
	 /** 
	 * 获取最原始的request 
	 *  
	 * @return 
	 */  
	 public HttpServletRequest getOrgRequest() {  
		 return orgRequest;  
	 }  
	  
	 /** 
	 * 获取最原始的request的静态方法 
	 *  
	 * @return 
	 */  
	 public static HttpServletRequest getOrgRequest(HttpServletRequest req) {  
		 if (req instanceof XssHttpServletRequestWrapper) {  
		 return ((XssHttpServletRequestWrapper) req).getOrgRequest();  
		 }  
		 return req;  
	 }  
	 
	 public static void main(String[] args){
		 String xxsHtml = "\"><script>alert('ok')</script>";
		 System.out.println(xssEncode(xxsHtml));
	 }
}
